Privacy on Ice: Canada Maintains GDPR Adequacy Status Despite Frozen Privacy Reforms

Privacy on Ice: Canada Maintains GDPR Adequacy Status Despite Frozen Privacy Reforms

The European Commission has found that Canada (among 10 other countries) continues to provide an adequate level of protection of personal information transferred from the EU to recipients that are subject to Canada’s Federal Personal Information Protection and Electronic Documents Act (“PIPEDA”). The European Commission’s finding is set out in a January 15, 2024 report reviewing its previous adequacy decisions.

The finding provides welcome news for organizations that process personal information in Canada that belong to data subjects within the European Economic Area. The European Commission’s finding permits data to flow freely into Canada without the need for burdensome compliance measures that would otherwise apply. Though, organizations should be warned that the adequacy finding does not apply (or may apply only in a limited capacity) to Canadian organizations that are not subject to PIPEDA or that conduct certain data processing activities that are outside of the scope of PIPEDA’s jurisdiction.

Separately, the finding may also ease the pressure on the Federal government to rush the passing of statutory privacy reform that is currently under consideration by the Standing Committee on Industry and Technology. In particular, Bill C-27 would replace the privacy provisions in PIPEDA with a modernized Consumer Privacy Protection Act (the “Proposed CPPA”) that would be enforced by a newly established tribunal armed with significant penal power. In presenting its adequacy finding relating to Canada, the European Commission referenced the proposed reform approvingly, but did not expressly condition the adequacy finding on its passing.

European Commission Adequacy Status Explained

The General Data Protection Regulation (colloquially known as the “GDPR”) restricts organizations from transferring personal information to a country outside of the European Economic Area unless either: (1) the European Commission has decided that the recipient jurisdiction ensures an adequate level of protection for such information; or (2) the organization transferring the information can demonstrate appropriate safeguards for the protection of such information.

There is meaningful advantage for organizations operating within countries found to provide adequate levels of protection. In absence of a favourable adequacy finding, the process for demonstrating appropriate safeguards is onerous and commonly includes establishing strict binding corporate rules for the processing of personal information or entering into an agreement with prescribed standard contractual clauses. As such, the process of demonstrating appropriate safeguards is almost certain to result in the non-European entity having to adhere to a much higher standard for privacy protection than is otherwise required in the organization’s ordinary course.

Canada has benefited from an adequacy decision adopted by the European Commission pursuant to the EU’s Data Protection Directive of 1995. Alongside Canada, the European Commission also previously determined that Andorra, Argentina, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland, and Uruguay ensure an adequate level of protection for personal information transferred from the EU (the “Initial Adequacy Decisions”).[1]

The Initial Adequacy Decisions remained in force following the adoption of the GDPR in 2018. However, the GDPR introduced a requirement to review adequacy decisions every four years. The European Commission’s recent report is the culmination of its first review of the Initial Adequacy Decisions.[2]

Overview of the Review Process and the EU Commission’s Findings

The European Commission concluded that all countries that were the subject of the Initial Adequacy Decisions, including Canada (with respect to commercial operators), continue to ensure an adequate level of protection of personal information transferred from the European Economic Area.

In its review, the European Commission emphasized the exponential development of digital technologies and the growing importance of adequacy decisions to facilitate stable, secure and competitive commercial data flows. In evaluating the continued adequacy of protections offered by Canada and the other countries noted above, the European Commission considered the evolution of each country’s respective legal frameworks governing the processing of personal information by organizations and the ability of government to access and use personal information held by such organizations.

With respect to Canada, the European Commission found that since the release of the initial decision relating to Canada in 2001, PIPEDA has been strengthened through amendments (principally pertaining to valid consent and mandatory data breach notification) and through case law and guidance from the Office of the Privacy Commissioner of Canada. Notably, while the European Commission recognized approvingly that Canada is currently undergoing a legislative reform of PIPEDA (including in areas that it considers relevant to the adequacy finding), it stopped short of conditioning the adequacy determination on Canada’s implementation of such reform. Though, it noted that it is closely monitoring future developments in Canada and, more broadly in relation to all countries evaluated, cautioned that it reserves the right to suspend, amend or withdraw an adequacy decision where developments in an adequate country would negatively affect the level of data protection.

The European Commission also found that public authorities in Canada are subject to appropriate limitations and safeguards under the Canadian Charter of Rights and Freedoms, case law, public sector data protection legislation and rules, and that the Canadian legal system provides effective oversight and redress mechanisms accessible to non-Canadian nationals or residents.

Potential Impact on the Fate of Bill C-27

Despite the European Commission’s comments regarding welcome statutory privacy reform in Canada and that it is monitoring developments in this regard, the timing of the adequacy finding may undermine the near-term passage of such reform due to incidental headwinds slowing the legislative progress of Bill C-27.

The privacy reform currently under consideration originated in predecessor legislation that was first proposed in November 2020 pursuant to Bill C-11, which died on the Order Paper in 2021 upon the dissolution of the former government. Bill C-11 was essentially re-introduced by the next government in June 2022 by way of Bill C-27. However, in addition to the re-introduction of the Proposed CPPA and tribunal, Bill C-27 also introduced a newly proposed and hotly contested Artificial Intelligence and Data Act (the “Proposed AIDA”) that would establish requirements surrounding the design and use of AI systems. As Bill C-27 has progressed through the legislative process, its advancement has been stymied by debate and disagreements regarding the Proposed AIDA.

So why does this matter? Well, it was widely understood that one of the driving motivations for Canada’s statutory privacy reform was to avoid the now obsolete risk of losing adequacy status. It may have been possible that a looming adequacy decision would have imposed necessary pressure to resolve outstanding disagreements with the Proposed AIDA to facilitate the passage of the Proposed CPPA. However, the legislative dynamic has likely changed with the delivery of the European Commission’s favourable adequacy finding notwithstanding the current statutory limbo. If Bill C-27 does not pass before the next Federal election – which will occur in October 2025 or sooner – the proposed reform will suffer the same fate as Bill C-11, requiring the next government to start from scratch (once again).

The recent adequacy finding does not extinguish the need for reform considering the European Commission’s comments and other domestic pressures to modernize Canada’s privacy framework. However, the adequacy finding may ease the pressure on the Federal government to rush the passing of Bill C-27 as debate concerning the Proposed AIDA plays out.

[1] Canada is the only country in which the adequacy status was limited to “commercial operators”.

[2] The first review was delayed by two years to accommodate judicial commentary by the Court of Justice of the European Union on key elements of the adequacy standard and other related developments in connection with the Schrems II case.

by Mitch Koczerginski

A Cautionary Note

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2024